Gpcode "ransomware" virus was the work of a single person believed to be a Russian national

By John E. Dunn

Techworld.com|Sep 30, 2008

The infamous Gpcode "ransomware" virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.

The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack -- and probably earlier attacks in 2006 and 2007 -- using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.

The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private "master" key and must therefore be genuine.

Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the United States, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines.

Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.

To date, it is not clear what if any action the authorities plan to take.

For its part, Kaspersky Lab confirmed that it had been contact with a dozen victims from Russia, Hungary, and Slovakia, at whose populations the program appears to have been primarily aimed. Gpcode has since struck further afield, hitting a medical institution in Cuba and, unconfirmed rumors claim, government offices in the United States.

Gpcode has appeared in a number of variants since 2006, each using ever-stronger encryption. The program's approach is direct and frightening. Once on a system, it sets about encrypting all data files it finds with any one of 143 file extension types, rendering them inaccessible. Victims are then told they can recover the files by paying a ransom to the author, reachable through a Yahoo e-mail account.

The innovation of the latest Gpcode attack was that it generated keys to the RC4 stream cipher using 1,024-bit RSA, a much higher bit length than previous versions, which made it, to all practical intents and purposes, uncrackable.

Luckily, on this occasion, Gpcode's author had made a number of more basic programming errors that allowed researchers to construct a method for recovering files. It turned out that while encrypting data, the original files had been "deleted" using the Windows file system. This meant that although invisible to the operating system, the files were still on the disk and could be recovered using available tools.

One thing Gpcode has made clear is that technology alone can't now defend against this type of malware. Once on an undefended PC, reversing its effects depends on having access to the private RSA key, and that means tracking down the author.

According to Kaspersky, stopping ransomware-based malware in the future will require more effective law enforcement, the use of forensic software analysis to tie suspects to their malevolent creations, and possibly building restrictions into the Windows cryptographic software libraries used to create Gpcode itself.

Despite its frightening reputation, ransomware is still, thankfully, a rare phenomenon. There are various theories as to why this is the case, ranging from the complexity of the software itself to the difficulty of setting up a reliable channel through which to accept "ransom" payments from victims. Other, easier types of malware might just be more profitable to criminals.